[dns-operations] Multiple DS DNSSEC validation

Richard Lamb slamb at xtcn.com
Tue Jul 11 04:05:42 UTC 2017


Sounds like load balancing stuff done by some vendors and should work.
R


On Monday, July 10, 2017, Rubens Kuhl <rubensk at nic.br> wrote:

>
> My reading of DNSSEC RFCs couldn't negate or confirm whether the DNSSEC
> architecture I'll describe below works or not. Any hints on that are
> appreciated.
>
> A zone is delegated to 3 name servers (unicast for simplicity); those 3
> name servers operate independently of each other, each of them having a
> unique key for that same zone. All of them have all 3 DNSKEY responses for
> that zone, the DNSKEY records being the same among all of them.
>
> A DS record for each of the name servers' keys is inserted into the parent,
> making all RRSIGs produced by any of the name servers valid, including the
> RRSIG for the DNSKEY records.
>
> It just happens that, depending on the name server, a specific key will be
> used, since each one only has its own private key, although knowing the
> public keys of all 3.
>
>
> Does this break anything? If it indeed breaks, is there an alternative?
>
>
>
> Rubens
>
>
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
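The setup Rubens describes (one private key per server, every public key in the shared DNSKEY RRset, one DS per key in the parent) can be checked mechanically against the RFC 4035 validator steps: match DS to DNSKEY, verify the RRSIG over the DNSKEY RRset with a DS-matched key, then verify the data RRSIG with any key from the authenticated DNSKEY RRset. The following simulation is an added example, not code from the thread or from any DNS implementation. It implements the real RFC 4034 pieces (canonical owner name, key tag, SHA-256 DS digest) but swaps in a hash-based Lamport scheme as the signature algorithm so it runs with the standard library alone; the zone name `example.test.`, the server names `ns1..ns3`, the seeds, and the use of algorithm number 253 (the private-use range) are all constructed for the example. It also shows the failure mode a defender cares about: if the parent is missing the DS for one server's key, answers from that server alone fail validation.

```python
import hashlib
import hmac

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class LamportKey:
    """Stand-in signature algorithm (Lamport one-time signatures over SHA-256) so the
    example needs no third-party crypto library. Real zones use RSA/ECDSA/EdDSA; the
    chain-of-trust logic below does not depend on the algorithm. Reusing a Lamport key
    for several messages is unsafe in practice and is ignored here because this is a toy."""

    def __init__(self, seed: bytes):
        # Keys are derived deterministically from a seed so the scenario is reproducible.
        self.priv = [[sha256(seed + bytes([i, b])) for b in (0, 1)] for i in range(256)]
        self.pub = b"".join(sha256(p[0]) + sha256(p[1]) for p in self.priv)

    def sign(self, msg: bytes) -> bytes:
        d = sha256(msg)
        return b"".join(self.priv[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))

    @staticmethod
    def verify(pub: bytes, msg: bytes, sig: bytes) -> bool:
        if len(pub) != 256 * 64 or len(sig) != 256 * 32:
            return False
        d = sha256(msg)
        for i in range(256):
            bit = (d[i // 8] >> (7 - i % 8)) & 1
            want = pub[i * 64 + bit * 32 : i * 64 + bit * 32 + 32]
            if not hmac.compare_digest(sha256(sig[i * 32 : (i + 1) * 32]), want):
                return False
        return True


# ---- RFC 4034 wire-format pieces ----
def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey  # protocol field is always 3

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS with digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    return (key_tag(rdata), rdata[3], 2, sha256(name_to_wire(owner) + rdata))

def canonical_rrset(owner: str, rdatas: list) -> bytes:
    """Bytes an RRSIG covers, simplified: owner name + RDATA in canonical order
    (RRSIG RDATA fields, TTL, class and type are omitted in this simulation)."""
    return b"".join(name_to_wire(owner) + r for r in sorted(rdatas))


# ---- Validator, following the RFC 4035 section 5 order of checks ----
def validate(parent_ds: set, owner: str, dnskeys: list, dnskey_rrsig: tuple,
             data: bytes, data_rrsig: tuple) -> bool:
    # 1. Keys in the child's DNSKEY RRset that match a DS published by the parent.
    trusted = [r for r in dnskeys if ds_record(owner, r) in parent_ds]
    # 2. The DNSKEY RRset must carry an RRSIG made by one of those DS-matched keys.
    tag, sig = dnskey_rrsig
    if not any(key_tag(r) == tag and LamportKey.verify(r[4:], canonical_rrset(owner, dnskeys), sig)
               for r in trusted):
        return False
    # 3. Any key in the now-authenticated DNSKEY RRset may sign the data RRset.
    tag, sig = data_rrsig
    return any(key_tag(r) == tag and LamportKey.verify(r[4:], data, sig) for r in dnskeys)


# ---- Constructed scenario: three servers, one private key each, all public keys on all ----
ZONE = "example.test."
ALG = 253  # private-use algorithm number, standing in for the toy scheme above
SERVER_KEYS = {f"ns{i}.{ZONE}": LamportKey(f"seed-ns{i}".encode()) for i in (1, 2, 3)}
DNSKEYS = [dnskey_rdata(257, ALG, k.pub) for k in SERVER_KEYS.values()]  # 257 = KSK/SEP flags
A_RRSET = canonical_rrset(f"www.{ZONE}", [bytes([192, 0, 2, 1])])  # constructed A record

def run_scenario(ds_missing_for: str = None) -> dict:
    """Return, per answering server, whether a validator accepts its answer.
    ds_missing_for drops that server's DS from the parent to show the failure mode."""
    parent_ds = {ds_record(ZONE, dnskey_rdata(257, ALG, k.pub))
                 for srv, k in SERVER_KEYS.items() if srv != ds_missing_for}
    results = {}
    for srv, key in SERVER_KEYS.items():
        tag = key_tag(dnskey_rdata(257, ALG, key.pub))
        # Each server signs the full, shared DNSKEY RRset and the data with its own key only.
        dnskey_sig = (tag, key.sign(canonical_rrset(ZONE, DNSKEYS)))
        a_sig = (tag, key.sign(A_RRSET))
        results[srv] = validate(parent_ds, ZONE, DNSKEYS, dnskey_sig, A_RRSET, a_sig)
    return results

if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(ds_missing_for=f"ns3.{ZONE}"))
```

With all three DS records in the parent every server's answer validates, because the validator only needs one DS-matched key that signed the DNSKEY RRset and one matching key for the data RRSIG. Dropping a single DS makes only that server's answers fail, which is the operational point to monitor: a rollover on one server that is not reflected in the parent DS set turns that server into a source of SERVFAILs for validating resolvers.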